"hard core" linux

Paul A Houle ph18 at cornell.edu
Thu Aug 18 18:22:26 UTC 2005 

Russell Coker wrote:

>Sure, if you are prepared to pull out so much desktop stuff then that's a 
>possibility.  I was assuming that you wouldn't want to make such radical 
>changes.
>
>  
>
    I'll have to try it and see how bad it is.  I've got an "everything 
install" of FC4 that I can do surgery on.

    If I have to destroy my desktop to excise the media player,  then 
there are too many dependencies -- and it's starting to feel like 
Microsoft territory,  where Microsoft went on for years insisting that 
it was impossible to sell Windows w/o Windows Media Player.

>Surely there's a way of preventing that, I don't know enough about rpm 
>dependencies to know how to do it, but it must be possible.
>
>  
>
    I'll have to look into that.

>Also if you install tar-balls in /usr/local then you have no way of tracking 
>files and versions which may have security implications if there are SUID or 
>SGID programs.
>  
>
    I never install binary tarballs in /usr/local unless there's a 
reason why I can't build it myself.

    The configuration management problem for files managed by sysadmins 
is a general problem.  Just the other day me and another sysadmin on a 
Solaris system were wondering who added a user to /etc/passwd.  It 
wasn't a security problem,  but the user who created it didn't go 
through the right channels to create users.  It would be nice to be able 
to see who did it when.  There's tripwire (too slow,  too hard to 
configure) and a number of lightweight imitators.  Type-A sysadmins 
probably like systems like tripwire,  but I'd rather have some 
dnotify-based 'spyware' that keeps track of what I have in /usr/local/

    You also take risks running out of rpm -- unless you're willing to 
make your own rpms (all the same work to compile from source and then 
some) you have to wait for somebody else to package something as an 
rpm.  For instance,  I'd never run the Apache rpm that comes with 
Fedora/RHEL on a production system because I like to know what's in my 
Apache...  Fedora seems to be a bit fresher,  but I doubt that RHEL has 
updated Apache 2 promptly with every version that comes out -- and I had 
a rough ride with Apache 2 until 2.0.54.

    If I had to maintain a large cluster of machines,  I might have a 
different opinion.

    That said,  media players ~are~ pretty dangerous,  since they play 
files that people get off the net -- we've seen exploits against zlib,  
winamp....  (Although stackguard is going to help and more people will 
try to hit Win32 than Linux.)

More information about the fedora-devel-list mailing list